Hacker News new | ask | show | jobs
by charcircuit 1143 days ago
This isn't about exposed credentials though. It would be like an autmatic image uploder that could pick an image hosting site such as imgur and upload the image for you and give you a link. Services are offering the ability to host images for you. You aren't stealing imgur's s3 credentials. They just let any user upload images for free despite the fact it technically costs them money to host the file for you. Similarly there are sites offering the ability to serve LLM requests for you for free.
2 comments
hombre_fatal 1143 days ago
No, the 1:1 analogy you're looking for is realizing someone has a poorly protected api.domain.com endpoint that uploads images to their S3 bucket and then using that to host your own images in their bucket instead of paying for your own.

Gpt4free uses API vulnerabilities that ultimately proxy to OpenAI's API with someone else's OpenAI credentials so that you don't have to pay for it. That's the whole gimmick.

These API endpoints aren't public service open relays which seems to be what you're trying to claim in your analogy:

- https://github.com/xtekky/gpt4free/issues/153

- https://github.com/xtekky/gpt4free/issues/125

link
charcircuit 1143 days ago
>These API endpoints aren't public service open relays which seems to be what you're trying to claim in your analogy:

The whole point of the project is that they are. It's a compilation of public, free APIs that have been found. Those issues you linked are from people who don't understand that it's expensive to run a free relay for a paid service.

link
hombre_fatal 1142 days ago
They are free public APIs the same way your misconfigured S3 bucket of dick pics is a free public porn site.

When you're so loose with words, it's impossible to even have a discussion.

link
sreejithr 1143 days ago
No service allows you to upload to some other user's Imgur account. The services like the ones you mentioned usually provide a service and do it on the user's behalf to the user's account.
link
charcircuit 1143 days ago
I am talking about not having an account. Anonymous users can call the API and have things done for them.
link